DevSecOps Is Important, but Can It Be Done Well?

Ask a DevSecOps evangelist what it’s all about, and they’ll tell you that it’s the mindset that makes everyone care about product security – an idyllic scenario where, through changes to company workflows and the addition of new tools, products are built in a more secure manner. Oh, and it’s supposed to happen seamlessly and painlessly, without any adverse impact on delivery speed or quality. After all, it’s still all about agile development.

At first glance, it sounds great, albeit somewhat unrealistic. Obviously, spreading the responsibility for security between developers, IT and DevOps will cause friction between teams, slow development down and create a slew of other problems. But it will also make the product more secure than ever, ensuring that the attack surface is continuously reduced by everyone who is in a position to reduce it.

As the DevSecOps movement gains traction, its focus shifts from explaining why the concept is important – the myriad data leaks and security incidents take care of that quite well – to making it happen.

The core community is starting to build tools that are meant to make the transition to this way of thinking possible. As it happens, at Cybellum we’ve been building such a tool for the past few years, one designed to detect vulnerabilities in a way no other tool does.

Our team of security researchers started from the assumption that current processes are cumbersome and outdated, and looked at whether they could be simplified while remaining effective. We arrived at two conclusions:

Automation is key, of course. Modern software is often complex enough as it is, and Continuous Delivery practices only add to that complexity. Thoroughly testing each production build for vulnerabilities by hand will grind agile processes to a halt.

Ease of use is paramount. Vulnerability detection can take many forms, but unless its findings come with actionable items that someone who is not a security specialist can understand, what good is it to a company that is trying to make everyone care about security?

DevSecOps is much more than Dev+Sec+Ops

A proper combination of automation and ease of use can help implement DevSecOps practices within every facet of development. How high on the list of considerations is the security of third-party software for the developer or DevOps engineer who integrates it? Quite low, usually. Yet third-party code is a major security risk.

We think that to achieve DevSecOps integration, even those people should be better informed about security, making decisions based on knowledge rather than on faith that someone else is doing their job.

Cybellum’s Automated Vulnerability Detection Platform was built specifically for these purposes. It finds vulnerabilities without human intervention, without access to source code, and even without having to tailor the platform to a specific product.

The vulnerabilities we disclosed in 2017 are a testament to the progress we’ve made while training the platform to be not only effective but efficient. Even someone who is not versed in security research can now use it to get actionable intelligence about security vulnerabilities in binary files.

We’re also very happy that we aren’t alone in this space. Microsoft is doing security risk detection, the open-source community is adapting existing products for DevSecOps, and more players are joining the fray every month.

2017 is the year in which awareness of DevSecOps exploded. Next year is going to be the year of implementation. We at Cybellum, for one, can’t wait to see what it brings to application security.